Likewise, I see the same "Ptk Challenge Failed" errors show up in logs. Sometimes I've seen it when a client's having temporary issues, other times I'll see it when a client is roaming rapidly. As an example, when someone is walking across campus with a smartphone in their pocket (which never happens..... cough) and it's trying to connect to APs as it moves along. It may move out of range of the AP before the key exchange completes, and I'll see this error. When I spoke with Aruba support about these issues, they didn't seem concerned, though I never could get a straight answer why it would happen with a stationary client. I'd be very interested to hear what you learn about it. :)
FWIW, I'm running AOS 6.3.1.11 with AP-225s here. OKC disabled, PMKID enabled. Derek Johnson | Data Communications Coordinator FORT HAYS STATE UNIVERSITY 415 Lyman Dr. TH 101, Hays, KS 67601 (785) 628 - 5688 | djohn...@fhsu.edu From: "Wang, Yu" <ywan...@fsu.edu> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Date: 09/24/2014 10:19 AM Subject: Re: [WIRELESS-LAN] Apple devices dropping on WPA2-PSK and WPA2-Ent SSIDs Aruba 6.3 Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> I echo what Ryan described here. Ryan alerted me of this issue and after changing user logging level to notification on our Aruba controllers, we got quite a number of ?Ptk Challenge Failed? in our logs. We have both OKC and Validate PMKID enabled and have not changed any of the settings as I saw Aruba engineers gave conflict statements. Yu Wang ____________________________ Network Architect Information Technology Services The Florida State University 850-645-6810 yu.w...@fsu.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H Sent: Wednesday, September 24, 2014 10:29 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Apple devices dropping on WPA2-PSK and WPA2-Ent SSIDs Aruba 6.3 We?ve had complaints for a while that would come in sporadically, but didn?t pay them much mind as it was always difficult to reproduce. The complaint was with Apple devices (normally OSX) that would just drop connectivity and then reestablish moments later. People would complain that our secure SSID (our primary EAP-TLS WPA2-Ent SSID) was not stable. It was always from Apple users. Recently, however, one of our employees with an Apple running OSX (Yosemite) started to have the problem routinely on our PSK SSID. When I turned on debugging in the logs, the following message was logged every time he dropped: Sep 5 10:53:48 :501105: <NOTI> |AP RB_House_016@172.28.65.99 stm| Deauth from sta: 48:d7:05:bf:28:e5: AP 172.28.65.99-00:1a:1e:52:dd:51-RB_House_016 Reason Ptk Challenge Failed When I did a google the Ptk Challenge failed, it turned up an Airheads forum that said that since OSX devices don?t support Opportunistic Key Caching, having this enabled on your controllers could cause drops on these devices when they roam from AP to AP. We disabled it on both out UNC-Secure and UNC-PSK SSIDs, and yet the user is still having disconnects, and we still see this message when his device drops. We actually see a LOT of these messages in the logs now that I have turned on the proper notification logging, indicating that this error message is either a red herring, or a lot more prevalent in our environment that we had hoped for. I plan on opening a case with Aruba, but before I beat my head against a wall for the next couple of hours with a support engineer, have any of you seen this problem and tackled it? Ryan H Turner Senior Network Engineer The University of North Carolina at Chapel Hill CB 1150 Chapel Hill, NC 27599 +1 919 445 0113 Office +1 919 274 7926 Mobile ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
